Security researcher publishes 10 million passwords despite fear of FBI

Stylized Locks with Ones and Zeros

This is the state of cybersecurity research now.

For whatever reason, people on the Internet still have trouble creating secure passwords. To better understand how and why people choose the passwords and usernames they do, one security researcher is releasing a massive trove of data in an effort to improve password security.

Mark Burnett released 10 million passwords on Monday. He collected the data from publicly available datasets leaked in the last decade by blackhat attackers. Burnett removed the identifying factors such as the domain portion of the email address.

He believes the combinations are “dead passwords,” meaning they are effectively useless to hackers or anyone trying to use them for fraudulent purposes.

Although Burnett collected and released this data exclusively for research purposes to better understand human behavior, he couched the release heavily, writing at length about why he shouldn’t be arrested by the FBI.

Burnett’s concerns stem from the aggressive prosecution of journalist Barrett Brown, who was charged with, among other things, sharing a link to data that included email addresses and credit card information. Brown’s arrest and prosecution led some journalists, activists, and security researchers to step down from their posts for fear of arrest based on similar charges.

Additionally, the Obama administration has proposed changes to the Computer Fraud and Abuse Act, which for now protects the release of data like the 10 million passwords Burnett posted this week, thanks to the researcher’s purpose of doing so without the intent to cause harm. If the changes are implemented, however, it could cause further problems for journalists and security researchers.

Burnett writes:

For now the laws are on my side because there has to be intent to commit or facilitate a crime. However, the White House has proposed some disturbing changes to the Computer Fraud and Abuse act that will make things much worse. Of particular note is 18 U.S.C. § 1030. (a)(6):

(6) knowingly and with intent to defraud willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;

By removing “intent to defraud,” the government would make it much easier to prosecute people that share information like the passwords Burnett released. Even data shared for educational purposes.

For now, Burnett seems to be in the clear. One programmer has already made a Twitter bot to tweet out the combinations.

(Sorry, this embed was not found.)

You shouldn’t be concerned whether your old username or password is on this list. Malicious attackers will be unable to do anything with it. But you should be concerned by the chilling effects placed on people like Burnett, in the wake of increased cybersecurity scrutiny and persecution.

For now, at least, researchers can better understand what makes us pick certain passwords thanks to this data—and try and make the Internet a little more secure.

Photo and illustration by Max Fleishman

Selena Larson

Selena Larson

Selena Larson is a technology reporter based in San Francisco who writes about the intersection of technology and culture. Her work explores new technologies and the way they impact industries, human behavior, and security and privacy. Since leaving the Daily Dot, she's reported for CNN Money and done technical writing for cybersecurity firm Dragos.